Difference between revisions of "Talk:Active Directory Integration"

From ArchWiki
Latest revision as of 16:35, 9 November 2016

PAM / Kerberos update required

This article was first published on Feb 6th, 2012 based on a previous wiki page called "Arch_Server_and_Active_Directory".

When I follow these instructions, the pam configuration is way different, I end up having to guess that the instructions mean /etc/pam.d/system-auth. Additionally, since the ticket granting ticket expires and winbindd fails to renew it, and since the max lifetime is 7 days anyway, it basically becomes impossible to log in to the system after a restart. I end up having to mount the arch linux drive in another system, or boot from the install cd, and remove the references to winbind from /etc/nsswitch.conf before I can log into the system again after this happens. Also, testparm complains that idmap uid and idmap gid are deprecated, and that template primary group is an unknown parameter.

Perhaps someone who knows what the hell they're doing with Samba and Kerberos AD integration might want to update this documentation, because I don't know how to fix it, nor can I find any useful documentation in any of my Google searches. (Redscourge (talk) 20:42, 8 March 2013 (UTC))

I have found a forum post about this issue, located here: https://bbs.archlinux.org/viewtopic.php?pid=1265595 Also, that was not enough by itself; I have made a few changes to my system-login to get sound and graphics (among other things) working (which you can find here: https://bbs.archlinux.org/viewtopic.php?id=162649). By using the "idmap config * : range = 10000-33554431" syntax, or "idmap config DOMAIN : range = 10000-33554431" to control each domain, you can resolve the idmap uid/gid deprecated messages. I'm still stuck on offline logins though. If you follow the instructions, you won't be able to log in without a working AD connection. --Queljin (talk) 15:56, 15 May 2013 (UTC)

ADS client integration

The following thread points to some required updates to install / configure an Arch system as an ADS client. I can't add to it; noting it for reference here. --Indigo (talk) 08:07, 22 August 2014 (UTC)

pam_mkhomedir.so

User:Agartner removed mentions of pam_mkhomedir.so with [1] without a reason in the edit summary. Since this violates ArchWiki:Contributing#Always_properly_use_the_edit_summary, I'm reporting the edit here in case somebody has something to object to. — Kynikos (talk) 11:04, 28 April 2015 (UTC)

My apologies, this was my first contribution. I just set up Active Directory Integration, and it appears that pam_mkhomedir.so is no longer needed. The functionality is handled by smb and winbind (as defined in pam_winbind.conf and smb.conf) --Agartner (talk) 05:42, 29 April 2015 (UTC)

A couple of notes on content

No major changes (yet), just a few notes about style, technical accuracy, modernization to see what others think (on parts that don't affect me directly, unfortunately).

Updating the GPO: As of Samba4, this should probably be removed (I think). This was definitely necessary in S3, do we still support/care for S3? Can somebody confirm or deny the need for S4?

Updating DNS: There is no guarantee that the DNS servers are a domain controller, or even a windows server for that matter. Perhaps "Active Directory domain controllers" could be replaced by "internal DNS servers. In many small networks, these will be the domain controllers."?

Kerberos: PDC and BDC are old terms that should have died 15 years ago for Windows admins, and at the release of Samba4 for us, but live on (and on, and on, and...). There are five FSMO roles now, four of which can be duplicated any number of times. A generic server1 and server2 would be good IMO. Also, the "Let us assume" part is an odd read for me, especially in a technical document. If a scenario is necessary, it should probably be covered in the introduction (unless the scenario must be built inline, and even then, an overview should be provided in the introduction). Finally, does Samba no longer create its own krb5.conf in /var/lib/samba/private/? I'm only looking from the ADDC POV right now, so I don't know. I'll set up a Samba client at some point before making any edits.

Creating a Kerberos Ticket: Rename "Requesting a Kerberos ticket". Also, there are other title capitalization errors elsewhere (including the title of the article), but the important part was creating vs requesting.

Finally, the general flow of the article could use some work. It feels a little piecemeal to me as you continue further into the additional sections not yet mentioned (probably due to it having major edits by 15 or so users over the past few years).

Objections to any of the above?

—This unsigned comment is by DJ L (talk) 17:07, 6 June 2015. Please sign your posts with ~~~~!

Issues with shares config

Ran into an issue configuring shares today. In /etc/samba/smbd.conf, valid users = ... seems to be invalid now. Instead, using users = ... works. Morganskier (talk) 22:55, 4 July 2016 (UTC)

GLOBAL section

In Samba 4.5.1 it is not possible to combine

 security = ads
 password server = pdc.example.com

"WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter. (by default Samba will discover the correct DC to contact automatically)."
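The warning quoted above, the deprecated idmap uid/gid and unknown template primary group parameters reported under "PAM / Kerberos update required", and the offline-login problem Queljin describes are all detectable from a plain read of smb.conf before winbind is ever started. The following lint script is an added example written for this talk page; it is not Samba code, not testparm, and not part of the wiki article. Its checks for security = ads plus password server, idmap uid/gid and template primary group follow exactly what the posts above report. The fourth check, that winbind offline logon = yes is set whenever security = ads is used, is based on Samba's documented parameter for cached domain logins (together with cached_login = yes in pam_winbind.conf), which the page itself does not mention; it assumes you want the machine to stay usable when no domain controller is reachable, which is the situation the first post describes. The two configurations it scans are constructed for the demonstration and are not anyone's real site configuration.

```shell
#!/bin/sh
# check_smbconf FILE: lint an smb.conf for the pitfalls discussed in this thread.
# Added example for the talk page, not Samba's own tooling. Prints one line per
# finding and returns the number of findings (0 = nothing found).

# Helper: does the normalised config contain a line matching the ERE in $1?
_smb_has() { printf '%s\n' "$norm" | grep -q -E "$1"; }

check_smbconf() {
    conf="$1"
    findings=0
    # Normalise: drop comment lines (# or ;), trim whitespace, squeeze the
    # spacing around "=" and lower-case everything so keys compare reliably.
    norm=$(sed -e '/^[[:space:]]*[#;]/d' \
               -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
               -e '/^$/d' \
               -e 's/[[:space:]]*=[[:space:]]*/ = /' "$conf" \
           | tr '[:upper:]' '[:lower:]')

    # 1. The warning quoted in the GLOBAL section post: with security = ads
    #    Samba locates the DC itself; a static password server fights that.
    if _smb_has '^security = ads$' && _smb_has '^password server = '; then
        echo "security = ads combined with password server: drop password server and let Samba discover the DC"
        findings=$((findings + 1))
    fi
    # 2. testparm's deprecation complaint from the first post.
    if _smb_has '^idmap (uid|gid) = '; then
        echo "idmap uid/gid are deprecated: use 'idmap config * : range = LOW-HIGH' (or 'idmap config DOMAIN : range = ...' per domain)"
        findings=$((findings + 1))
    fi
    # 3. Parameter testparm reports as unknown in the first post.
    if _smb_has '^template primary group = '; then
        echo "template primary group is not a known parameter any more: remove it"
        findings=$((findings + 1))
    fi
    # 4. Assumption: an AD member should keep cached logins so a restart with
    #    no reachable DC does not lock everyone out (Samba parameter, not from the page).
    if _smb_has '^security = ads$' && ! _smb_has '^winbind offline logon = (yes|true|1)$'; then
        echo "winbind offline logon is not enabled: logins will fail whenever no DC is reachable"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample inputs (not a real site's smb.conf): the combination the
# thread reports next to a corrected [global] section.
bad=$(mktemp)
cat >"$bad" <<'EOF'
[global]
   security = ads
   password server = pdc.example.com
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template primary group = "Domain Users"
EOF
good=$(mktemp)
cat >"$good" <<'EOF'
[global]
   security = ads
   winbind offline logon = yes
   idmap config * : range = 10000-33554431
EOF

echo "== constructed bad config"
check_smbconf "$bad" || echo "$? finding(s)"
echo "== corrected config"
check_smbconf "$good" && echo "clean"
rm -f "$bad" "$good"
```

Run it against /etc/samba/smb.conf before restarting winbind; it complements rather than replaces testparm, which still has to be the final word on whether Samba accepts the file.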